- For folks not familiar with you and your background, can you tell us a bit about that?

- How about Resourcely, how did it come about and what problem did you set out to tackle?

- Why do you think Cloud Misconfigurations are still so pervasive, despite being fairly well into the Cloud adoption lifecycle?

- How have organizations traditionally tried to handle secure configurations, in terms of establishing them, maintaining them, monitoring for drift and so on?

- Where do you think we're headed, I know you all recently had your capability go GA and you discuss concepts such as blueprints, frameworks, paved paths etc.

- You've been talking a lot about the Death of DevSecOps. Let's chat about that, what case are you making with regard to DevSecOps and where the industry is headed?

- First off, for folks now familiar with your background, can you tell us a bit about yourself?

- You made the leap from working for a firm to founding your own talent and recruiting company. Can you tell us about that decisions and experience?

- Before we dive into specific topics, what are some of the biggest workforce trends you are seeing in cyber currently? I have seen you talk about the pendulum shift from workers to employers on aspects like remote roles, and so on. What is the current dynamic across the cyber landscape broadly at the moment?

- The cyber workforce is often discussed painfully, with talks of struggles to attract and retain technical talent, but I feel like it isn't just a headcount problem. We also often see absolutely awful PD's and processes that impact organizations hiring abilities. What are your thoughts here?

- You're often seeking out some of the best talent for leading organizations. What sort of experiences, qualities and characteristics do you find yourself looking for in candidates that make them stand out from the broader workforce?

- Conversely, what are some things you see organizations doing the best that really set them apart from others when it comes to building amazing security teams?

- What can folks be doing to try and best position themselves for their dream role? What are key things to keep in mind and emphasize from an expertise, personal branding, resume and other factors perspectives?

- For folks not familiar with you or the Miggo team, can you tell us a bit about your background?

- How do you define ADR and why do you think we have seen the need for this new category of security tooling to come about?

- Most organizations are struggling with vulnerability overload, with massive vulnerability backlogs and struggles around vulnerability prioritization. Can you share some insights on how you all tackle this problem?

- We're increasingly seeing the AppSec space become more complex, with Cloud, API's, Microservices, IaC and more. What do you see as some of the most critical trends in the AppSec space currently?

- First off, for those that don't know you or your work, would you mind telling us a bit about your background?

- You recently published a paper titled "Secure-by-Design at Google" which got a lot of attention. Can you tell us about the paper and some of the key themes it emphasizes?

- In the paper you discuss some of the unique aspects of software that are different from mass-produced physical systems. Such as their dynamic and iterative nature. On one hand you mention how the risk of introducing a new defect over time for a physical system after manufacturing is low, unlike software. I know Google are big proponents of DORA for example, and past papers have shown organizations that are capable of routinely delivering software to production at-scale also have more resilient outcomes, this seems to be both a risk and a benefit of software over physical systems?

- You also discuss the need for Secure Default Configurations. Historically it feels like producers have erred on the side of functionality and usability over secure default configurations, and we have even heard CISA begin using terms like "loosening guides" over hardening guides. Do you feel the two concepts of security and usability at inherently at odds, or need to be?

- One aspect of your paper that really jumped out to me is that "developers are users too". I feel like this is even more pertinent with both the rise of software supply chain attacks and the realization that most defects are introduced by Developers and also they are best positioned to address flaws and vulnerabilities. How critical do you think it is to design systems with this in mind?

- Some may pushback and say it is easy for Google to say advocate this approach of Secure-by-Design due to their incredible expertise and resources, but obviously, and conversely, Google has a scale in terms of challenges that most organizations can't fathom. How does Google balance the two?

- What role do you think leading software suppliers and organizations such as Google have to play when it comes to ensuring a more resilient digital ecosystem for everyone?

- First off, for folks that don't know you, can you tell us a bit about your current role and background?

- On that same note, can you tell the audience a bit about Anduril, the mission of the organization and some of the current initiatives it is working on?

- What are some of the biggest challenges of being a new entrant in a space such as the DoD, which has longstanding system integrators and large prime contractors who have deep relationships, industry expertise/experience and so on?

- I know you're passionate about the ATO process. What are your thoughts on how it stands currently and the impact it has on both new entrants, as well as impacting the ability to get innovative capabilities into the hands of warfighters and mission owners?

- CMMC

- We know your organization is looking to bring innovative commercial technologies into Defense, what are some of the challenges there beyond the ATO aspect?

- Outside of the technical aspect, we know the DoD and Federal space have longstanding challenges with attracting and retaining technical talent. How does that impact your abilities to be effective in this space with your Government peers, and additionally, how does Anduril navigate that when looking to attract modern digital talent to a space like Defense?

- Many are now arguing that cybersecurity is a domain of warfare and we're seeing the use of phrases such as "Software-Defined Warfare" by organizations such as The Atlantic Council. How important do you think modern digital capabilities are to national security and why?

- DevSecOps thoughts

- For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?

- What exactly is the GitHub Advisory Database and what is the mission of the team there?

- There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD and how it fits into the ecosystem?

- GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?

- There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?

- You're also involved with the CVE program, can you tell us about that?

- We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?

- For those don't know your background or Nucleus Security, can you start by telling us a bit about both?

- You have experience and a background in the Federal environment, and Nucleus recently achieved their FedRAMP authorization, can you tell us a bit about that process?

- When you look at the Federal/Defense/IC VulnMgt landscape, what are some of the biggest problems from your experience and where do you think innovative products and solutions can help?

- Going broader, we have seen a recent uptick in the interest around VulnMgt, and looking to modernize the way we do things. What do you think is driving this recent focus on VulnMgt and what major innovations or disruptions in the space do you see underway?

- What do you feel helps differentiate Nucleus Security from some of the other competitors we see in this space focusing on this problem?

- We're seeing a big push for Secure-by-Design software, which of course deals with driving down vulnerabilities, and repeated classes of vulnerabilities. What's your take on this push and do you see it being effective?

- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in?

- Your team recently was part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience, and being able to highlight the innovative capabilities of RAD to such a key audience?

- You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM), what are some of the key items in there folks need to be focusing on?

- The RAD security team emphasizes their fingerprint capability for Kubernetes workloads. Can you unpack that this is and how it differs from say signature based security tools and so on?

- When thinking about software supply chain security, how does Kubernetes fit in, given the current digital landscape and explosive growth of Kubernetes and Containerized workloads?

- You all are big proponents of runtime security, a category that is getting increased attention latest in the security industry. Why do you think runtime is so critical, compared to say some other tools or products that may focus on different aspects of the SDLC or lean into "shifting left" for example?